Ask HN: What do you use VMs for regularly?
113 points by pvinis on June 21, 2022 | 174 comments
I know many people use VMs for work, or to test things they develop. Makes sense.

But what else do people use it for? I want to hear interesting or unusual things you use a VM for.

For example, I have thought of running a VM only to use git in there, maybe so try and see if magit will run faster in a VM rather than on the host macos. I also have thought of using a VM to only run a browser in there, to keep the memory under control. Not sure any of these are good, but they are interesting.

What are your ideas or actual ways you use VMs?



> VM to only run a browser in there, to keep the memory under control

For other Linux users out there — a VM is not needed for this, use a cgroup with memory limits. It's very easy to do with systemd, but can be done without it:

  $ systemd-run --user --pty --property MemoryHigh=2G firefox

The kernel will prevent Firefox from using more than 2 GiB of RAM by forcing it into swap (including all child processes). To quote systemd.resource-control(5):

> Specify the throttling limit on memory usage of the executed processes in this unit. Memory usage may go above the limit if unavoidable, but the processes are heavily slowed down and memory is taken away aggressively in such cases. This is the main mechanism to control memory usage of a unit.

If you'd rather have it OOMed, use MemoryMax=2G.

It's actually very useful for torrent clients. If you seed terabytes of data (like I do), the client quickly forces more useful data out of the page cache. Even if you have dozens of gigabytes of RAM, the machine can get pretty slow. This prevents the client from doing that.

There are lots of other interesting controllers that can put limits on disk and network I/O, CPU usage, etc.
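An added example, not code from the thread, of the "can be done without it" route: a POSIX shell script that sets memory.high and memory.max on a cgroup v2 group by hand, runs a program inside it so every child process is covered, and summarises memory.events afterwards so you can see whether the throttle or the OOM killer ever fired. It assumes a unified cgroup v2 hierarchy mounted at /sys/fs/cgroup and root for the write steps; the group name "browser" and the 2G/3G sizes are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: memory-limit a program with cgroup v2
# directly, no systemd involved, then check whether the limit ever bit.
# Assumptions: unified cgroup v2 hierarchy at /sys/fs/cgroup, root for the
# write steps; the group name "browser" and the 2G/3G sizes are made up.
set -u

CGROOT=${CGROOT:-/sys/fs/cgroup}

# Create (or reuse) a leaf cgroup and set both memory knobs.
# memory.high throttles and reclaims aggressively (what MemoryHigh= does);
# memory.max is the hard cap that ends in an OOM kill (MemoryMax=).
make_limited_cgroup() {
    name=$1; high=$2; max=$3
    cg="$CGROOT/$name"
    mkdir -p "$cg"
    # The parent must delegate the memory controller to its children once.
    echo "+memory" > "$CGROOT/cgroup.subtree_control"
    echo "$high" > "$cg/memory.high"
    echo "$max"  > "$cg/memory.max"
    printf '%s\n' "$cg"
}

# Move this shell into the cgroup, then exec the program: every child it
# spawns (browser tabs, helper processes, torrent workers) inherits the group,
# so the limit covers the whole process tree, not just the first PID.
run_in_cgroup() {
    cg=$1; shift
    echo $$ > "$cg/cgroup.procs"
    exec "$@"
}

# Print the cgroup v2 path of a process, from the "0::/path" line in /proc.
cgroup_of_pid() {
    sed -n 's/^0::\(.*\)$/\1/p' "/proc/$1/cgroup"
}

# Summarise a memory.events file: "high" counts throttling episodes, "max"
# counts times the hard cap was reached, "oom_kill" counts killed processes.
# It only reads the file it is given, so it can be checked on a sample file.
memory_events_summary() {
    awk 'BEGIN { h = 0; m = 0; k = 0 }
         $1 == "high"     { h = $2 }
         $1 == "max"      { m = $2 }
         $1 == "oom_kill" { k = $2 }
         END { printf "high=%d max=%d oom_kill=%d\n", h, m, k }' "$1"
}

# Usage:  ./cglimit.sh run firefox   (as root, or with a delegated subtree)
#         ./cglimit.sh check         (did the throttle or the OOM killer fire?)
if [ "$#" -gt 0 ]; then
    case $1 in
        run)   shift
               cg=$(make_limited_cgroup browser 2G 3G) && run_in_cgroup "$cg" "$@" ;;
        check) memory_events_summary "$CGROOT/browser/memory.events" ;;
        *)     echo "usage: $0 run <command...> | check" >&2; exit 2 ;;
    esac
fi
```

The "check" step is the part worth keeping around: a non-zero "high" count tells you the program really was being throttled rather than just fitting comfortably under the limit, and a non-zero "oom_kill" tells you memory.max was the thing that ended it. On a systemd machine you would normally point CGROOT at a subtree that systemd has delegated to your user (Delegate=yes on a scope or slice) instead of creating groups directly under the root.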


Interesting - is this possible and/or advisable on MacOS? Browsers - all of them - seem to be among the worst offenders.


Browsers seem mostly to operate under the principle that they're the only program the user wants to interact with, and probably the only userspace program running.

For most folks, they're right.


> cgroup with memory limits. It's very easy to do with systemd, but can be done without it

I prefer lxd for GUI programs personally. While it is probably a tad more effort initially to set up the X11 profile to get GPU acceleration, once that is done you can pop everything into its own Linux container using that profile. From there you can control resource limits permanently.

Especially like it for intrusive apps such as discord, zoom, etc which are hard to escape from.


For GUI applications, firejail might be easier to use. It too isolates applications from your system, but comes with a bunch of pre-configured profiles for many popular applications (including proprietary ones), thus requiring zero configuration.

Some of its more interesting features (in addition to the obvious path/privilege restrictions):

- putting the application into a separate network namespace with its own firewall rules/network interfaces (for example, you can force Firefox to work through a VPN connection only, or block incoming connections with your main firewall rules and allow them for a single application)

- using a separate X server for each application (works pretty much transparently)

- setting resource limits (network bandwidth, memory, CPU, I/O; although not as flexible as systemd limits, they can be combined)

- running `sudo firecfg` once will create a bunch of symlinks for all applications installed on your system and supported by firejail. After that, those applications will run under a sandbox automatically. Or you can create them manually (I did it for the PDF reader and such).

https://github.com/netblue30/firejail/


> by forcing it into swap

What if there's no swap (as I believe is the current fashion in desktop envs, unlike servers)?


It does something called reclaim, where it halts the running of the program and does an O(n) scan of that process's memory space to find pages that can be dropped (forces dirty writes to complete and drops file cache).


You can also limit memory usage with Windows Sandbox.


ulimit?


If you're fine with the process being terminated, then maybe. Although I believe ulimit doesn't account for the page cache (this is not important for browsers, but definitely for torrent clients — they can effectively eat up all your memory even if RSS + SHR never go above a few hundred megabytes). Also not sure how it works for shared memory (which is heavily used by modern browsers), which is definitely accounted for by cgroups (and limited by MemoryHigh/MemoryMax).


ulimit can only control virtual memory caps, not physical memory caps.


I'm using VMs for everything. Disposable, self-destructing VMs for untrusted browsing. Network VM solely for connecting to the Internet, Firewall VM for isolating the network from other parts of my system. Work VM for everything connected to work. Archive VM (with no networking) for storing important files. Banking VM for managing bank accounts. Zoom VM for isolating Zoom from the rest of my system. And so on.

All this works with a great, unified interface on Qubes OS (https://qubes-os.org). See also: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15.


Me too!

It's nearly worth it for avoiding Google's terrible account switching UX alone :)

I've been using QubesOS as my daily dev machine for a couple of years now. No regrets. I really like that I've set up each of my clients' work in their own VMs, so there's no way one can pollute the other.

Switching back to macOS is a relief for some tasks, but it feels dirty smudging all my different types of task into the one OS again.


What about security? I always thought that it's easy to get into a VM from the host, but it's way harder to get to the host from a VM. I thought about using a VM for security things, but the idea that it's easy to get inside a VM keeps me from doing it.


> I always thought that it's easy to get into vm from host, but it way harder to get to host from vm

That's right.

> but the idea that it easy to get inside vm keeps me from doing it

No! Of course the host is the ultimate dictator. Just don't do untrusted operations in the host context. Have low-trust, low-connectivity, low resource level VM for untrusted work.


You might have it backwards. Most people typically do untrusted actions inside the VM and keep their host “clean”. You’re correct though that VM escapes are pretty difficult, especially with modern, patched microcode processors.


> VM escapes are pretty difficult, especially with modern, patched microcode processors

Most VM escapes happen through buggy virtual-devices written in C/C++/.. code. Virtual-device bugs that are exploitable by attackers with root access in the VM are found frequently.


It's not frequent at all with Qubes hardware virtualization: https://www.qubes-os.org/security/xsa/.


> modern, patched microcode processors

This makes me wonder how many security holes CPUs have which have been buried into secrecy by the manufacturers.


You are right. The host on Qubes OS (dom0) has no networking and never runs any software by default. Also, the hardware virtualization which Qubes uses was last broken in 2006 by its founder: https://en.wikipedia.org/wiki/Blue_Pill_(software).


The hypervisor problem can be solved (in theory) with secure boot configured with custom keys and full disk encryption. I don't know anyone who actually uses Qubes so I don't know how practical that solution is. Coreboot has something similar to secure boot, so even if you use an open source boot loader, this can be done.

An attacker would need to do some quite invasive hardware tampering to get a third party hypervisor to work on a system secured like that.

Furthermore, preventing hypervisor detection requires constant updates if the OS itself is configured to check for the presence of a hypervisor. There's a constant arms race going on between security researchers and cybercriminals who don't want their malware to trigger on analysts' machines, many of which use virtualization to easily reset the system back to a known, secure state. Every time malware comes up with a new method of detection your evil hypervisor needs to be patched to fake that stuff too or you risk detection next time the OS updates its detection algorithms.



I just wish Qubes had a simpler architecture, such that dom0 and the Qubes Components could be implemented in e.g. Guix or Nix instead of a traditional distro. Love Qubes' desktop integrations.


What do you think prevents changing the distro in the Qubes components? AFAIK it's totally possible, see this: https://github.com/QubesOS/qubes-issues/issues/1919.


Oh, what an issue! There's plenty of context in there, and it's right up my alley. Thanks!


Oh man Qubes looks awesome. I am just addicted to a windows game that doesn't have any linux support :(


Depending on your hardware, you could try GPU passthrough.


is that with virtualbox or something?


With Qubes OS, the context of this thread.


I’m a teacher without a tech background. My role is to schedule a high school timetable.

To do this I have been given software that is single threaded and will only run a single instance, so I have taught myself Hyper-V, and run several VMs with alternative searches simultaneously. These searches can take 12+ hours to run.

The software also runs 25% faster when allocated 2 threads maximum than when 3+ are available…


I have worked with senior software engineers that would never think to do this and do not have the skills to do it if they did. Impressive.


First of all, very impressive :) I AM a techie and I would never have come up with this solution, because I would have become obsessed with how the software knows it's running another instance and trying to hack that.

Second of all,

>These searches can take 12+ hours to run

WTF. What are these searches doing?


Thank you!

The searches are trying to allocate groups of teachers to time slots, subject to the inputted constraints e.g. their students aren’t elsewhere, changing rooms are available if needed, a teacher hasn’t been allocated a different class already etc.

But I can’t tell the software which constraints are hard, which are soft, and which have alternatives we are indifferent about. Hence the need for parallel searches!


This is basically a traveling-salesman type of problem, called Constraint Programming. Plenty of libraries in this space if this interests you, like OR-Tools: https://developers.google.com/optimization


> >These searches can take 12+ hours to run

> WTF. What are these searches doing?

This is why you're a techie ;)


For a non-techie to pull that off is honestly impressive.

Kudos.


Love these solutions to a problem, well done :)


If the software is FEL, an open source time-tabling software, you can run the gui-less executable. I did it in Linux on a 30× core server, starting 30+ processes.

Edit: read the other answers. In FEL you can specify hard and soft constraints. Search can be long nonetheless...


WSL2 can’t be scanned by my work’s antivirus so node projects build and run at full speed.

(2 minutes for starting the project outside vs 25 seconds inside)


If you're talking about running a node project in WSL2 vs in an emulator or VM etc., it might just be that most of the speedup comes from Linux and WSL2 itself, as it's quite fast. What you've mentioned isn't a controlled experiment for testing performance.


WSL2 is a VM, though. It was only WSL1 that tried to do a kernel-level shim for the Linux userspace layer.


Antivirus on Windows is notorious for inserting itself as a filesystem filter that triggers on every file access, which adds overhead to every read and write action. Combined with node_modules containing a gazillion files, I'm surprised his project loads in only 2 minutes :)


I assume he means WSL2 vs node.exe


Does WSL2 on Windows count?

Because 2 years ago I moved back to Windows from MacOS for my daily driver because of WSL2.

I get the same "modern GUI on top, Unix-like shell underneath" experience that I had with MacOS but now I have a 24-core machine with 32GB of RAM for a third (or less) the price of what a similar Mac would have cost me.


Genuine question, why don't you just use desktop linux?

I'm curious as to what pain points make you avoid it. Do you prefer the Windows GUI interface? Do you not want to deal with updates breaking your system or having to manage things yourself? Or are there programs that you use on Windows that aren't available on Linux? (Or something else.)

I want to stress that this is a good faith question. (since it seems flame-war territory adjacent, which I'm not interested in getting into).


Desktop Linux does not run many, many useful apps, and I don't want to continually struggle with drivers and more. If apps do run on Linux, they can often be terrible.

I think the other question is, why would one want to use desktop Linux? With Windows 11 and WSL2, I get both. I can run all my normal apps on Windows 11, and if I really want to run GUI apps on WSL2, I can do that too.

Honestly, Windows plus WSL is the most "just works" platform out there right now. macOS is far too brittle and a compromise between high-level OS and a Unix-like environment. Linux does Linux, obviously, but it struggles as a low-friction, high-level OS.


Will have to "agree to disagree" on your conclusion here.

GNOME 4 is superior to Windows and MacOS as low-friction, high-level OS in my experience. Control panel is clear, if spartan, three finger gestures stolen from MacOS "just work", and the desktop just stays out of the way so I can focus on the applications that I really care about.

I have not had a "struggle with drivers" for over a decade with Ubuntu, Fedora, and Manjaro (YMMV in other distros of course, but it's much more uniform these days), and Windows has become even worse with doing unnecessary BS work in the background slowing down the GUI such that heavyweight desktops like GNOME and KDE feel as svelte as LXDE in comparison.

I honestly can't stand any time I have to use a Windows machine due to how inconsistent the settings are, how many ~200-300ms pauses happen randomly, especially when I'm trying to type, and applications that don't "just work" but only because of the high marketshare I can google a solution. (MacOS is less viscerally disgusting to me, but more disappointing due to all of the "small" bugs that have crept in despite having 100% control of the hardware in question. Wake-from-sleep shouldn't screw up the Wifi, unplugging and plugging back in an external monitor shouldn't shuffle the window locations, etc.)


You know I totally agree with you on Gnome being superior. Heck, my preferred WM is DWM and I would use it every day if I could. But here I am, on a Mac, just because I just CANNOT deal with another hardware related issue again. I used desktop linux most of my life (ages 12-28). But with a job and a family, I just don't have time for a single second of down time or debugging my computer. Same for android vs iOS. Used Android for 10 years, switched to iOS. Tried to go back with Pixel 3a, and it would freeze up maybe once a month. That's too much for me. My iPhone has frozen up maybe once in 2 years. Before you judge me, I do extensive infra shit at work and fix broken systems all the time. I just cannot deal with it on my personal devices.


No judgment. Same reasoning for me. In 2016 the bugs with MacOS got annoying enough that I looked around again and I had a more stable experience with GNOME 3 on a Dell laptop than anything on MacOS or Windows and switched.

I had way more problems debugging weird crap with the Wifi when walking between meetings with my MacBook Air, annoyed that when I plugged back into my monitor at my desk I would have to rearrange my windows on my desktops again (GNOME 4 puts the windows back where they were if you plug back into the exact same monitor). And dealing with Homebrew BS because Apple likes to break it on OS updates and sometimes it would break randomly on its own while Debian-derived distros never have package issues pushed me back.

Just saying that you really ought to try it out again, and Fedora is a super-polished GNOME experience if you want "Mac-like, but not annoying."


My big issue, and friction generator is that Linux - as a desktop - is always a year or more behind consumer hardware, and it unfortunately perpetually struggles with drivers.

Last time I tried Linux, driver support for my new graphics card was poor, my multi-monitor displayport setup was unsupported, DPI scaling - despite even Windows supporting it well for the previous 5 years - was quite bad (and non-integer scaling especially so). Even my CPU simply didn't work without some custom boot args.

So when it comes to "just works", the year of the linux desktop is here if your hardware is at least 2 years old. There's nothing wrong with 2-year-old hardware, but whenever I get a new computer, I install Windows and it just works, rarely do I ever have a good enough reason to switch to Linux given the effort involved.


Sorry you've been unlucky, but I've bought brand new Dell and Lenovo laptops and slapped Fedora on them and they just worked with no driver BS involved. Literally did this just a few months ago.

Ubuntu/Debian tend to take longer to support brand new hardware because they're more conservative with kernel updates, but you can also just use the System76 PPA to get a super-recent kernel on Ubuntu. But faster-paced or rolling distros like Fedora or Manjaro are best for that kind of thing.

I haven't had a single GPU-related issue, AMD or nVidia, for about a decade, if you're willing to go with non-free drivers.


I think your experience is the outlier and not that the other person was "unlucky". Screen sharing is not working on a "mobile desktop" Thinkpad laptop with Red Hat Linux, a paid Linux distribution no less, freshly installed, due to poor communication between several screen sharing apps and drivers, or just poor drivers. Outlook is not available for Linux. And the list keeps on going.

> I haven't had a single GPU-related issue, AMD or nVidia, for about a decade

While I might be off-base, I would wager that you have probably forgotten and not noticed the amount of times you have debugged these things and other driver-related issues.


No, I hate debugging on personal machines. I really haven't had GPU driver issues for 10 years on any of my Linux machines, and it's a pretty eclectic mix of Ubuntu, Fedora, Manjaro, and now one Steam Deck on SteamOS.


GNOME isn't an OS, is it, so how is it superior to Windows and macOS? It's just a desktop shell as far as I know. So even that shows the downsides of Linux: "Hey, try GNOME." "Ok, what distribution?"

I used to be a heavy Macbook user but am no longer. I use Windows because it simply has the least amount of friction. Every time I try Linux for anything other than a certain style of software development, it's an endless chain of web searching and configuration. Windows is far superior to macOS in terms of memory management. On a high-end Macbook Pro with 16GB, I am almost always maxed out, and the Macbook can't even drive my monitor properly with a dedicated graphics card. Mouse and keyboard settings reset every other day. I can't even imagine how much time I would have to spend setting up just my monitor, webcam, mouse, and keyboard setup with Linux, if drivers and applications are even available. My Windows laptops and desktops don't have any of these issues.


Other than the fingerprint scanner thing on my touchpad I haven't encountered a non-working out-of-the-box piece of hardware on a laptop for so long I don't even know how long it's been.

And apparently the fingerprint scanner works but I just never got around to it because I don’t care.

So, I have spent zero minutes setting up hardware on Linux in at least the last 15 years and then it was one of those hand tracking things the company donated to the Blender Foundation that I ended up with which was experimental so didn’t have drivers in the distro.


I am pointing at GNOME because from my experience you can basically substitute any of the big distros these days and get a near identical experience.

What webcam, mouse, or keyboard doesn't work with Linux? I have not run into one, and I have several weird ones like the Tap keyboard.


This is more or less the opposite of my experience, which has seen Linux installs get so easy that I can guide my 84yo mother over the "phone" (Nextcloud Talk, but you get the idea) through one, where installing Windows on the same hardware is (if not impossible) a lot harder due to the need to get hold of and install vendor drivers. The same goes for installing applications, where sudo apt install name_of_application is far easier than: find the installable on the web, make sure it does not come with a bunch of spy/malware, run the installer, answer inane questions, and be left with yet another auto-updating program built in a toolkit which looks radically different from all the other ones on the system.

Is the Linux experience perfect? Certainly not, there can be hiccups - try guiding someone on the other side of a phone line through connecting one of those Dell USB3 docks which needs that Synaptic-provided DisplayPort driver - but compared to Windows it is a breath of fresh air. Since Linux in general only serves one master - you - where Windows has to serve at least two - Microsoft first, you may come in second but it is quite possible for some other vendors to push themselves in front of that queue - this is hardly surprising.


Because I only have room in my apartment for one PC, and I want something that can do all my work, but also play games, do hobby dev with my Index VR headset, do good photo and video editing with the software I already know how to use, etc..

I have nothing against Linux (or MacOS), and it was a fair question.. =)

I think for lots of people it would be a very suitable choice, and if I had a "work only" machine, I would absolutely consider Linux, probably even over MacOS at this point..

But for my specific uses, Windows (with WSL2) lets me do all the things I want to with one machine, so it's the winner.


I hope to not start a flame war, but for "modern GUI on top, Unix-like shell underneath" I am extremely happy with KDE 5. I run it on Kubuntu, which is Ubuntu with stock KDE. It perfectly handles multiple monitors and desktops, I can move windows from one monitor to another via keyboard shortcut, Window-on-Top, and the killer feature highlight-to-copy and middle-click-to-paste which is about the only thing I do with the mouse.

The only thing I've had to add to it is an addon called Owl for accessing MS Exchange with Thunderbird at my previous employer. But stock Thunderbird is good enough for accessing Office 365 where I work now.


That's what I ran at my old job and I definitely miss it at my new one, where what I have is Windows with MSYS2 and WSL.

Plasma feels more predictable to me than Windows does, and I really like what it builds into the desktop environment itself. The essentials— window management, the volume mixer, global keyboard shortcut configuration, the panels, the desktop, compose key support, the default terminal emulator, the network management applet, display configuration, the default GUI text editor, the file manager, etc.— all feel just right to me, with very little tweaking required. What configuration is required is straightforward in the GUI and super easy to automate or save in my dotfiles.

Some of this is my own habituation to Plasma's quirks over the years, and some of it is my usage patterns not intersecting with open issues that Windows users would likely find strange. But I do think it's genuinely a wildly underrated desktop that a lot of developers would quickly come to love if they gave it a chance.


I'm honestly glad to hear that KDE and Linux are so viable as daily driver desktop environments now. I haven't looked at KDE in a long time...


Absolutely. Windows is the most popular desktop Linux distro.


I LOL'd but then was a bit depressed when it dawned on me you could well be right.


What machine do you use?


I built it myself, it's based around an AMD 5900x CPU.


My main workstation runs Linux. It has a second GPU (NVIDIA RTX 2080 Super), USB 3.1 card, and an NVMe drive passed to a guest via PCIe passthrough.[1] I have a 2x2 DisplayPort 1.4 KVM to drive my monitors with the host GPU on one side, and the guest GPU on the other side. The peripherals are connected to the host through any open USB port, and the guest through the PCIe add-in card.

Audio is handled with Scream[2] mostly so I can get >65536Hz sample rate. (Really terrible things seem to happen if you try to boot a qemu guest w/ the emulated audio attached to pipewire-pulse when the DSP graph has a 96/192KHz sample rate. I've also had latency issues in the past w/ bonafide pulseaudio and the emulated audio card.) I do all my gaming and most of my browsing inside the Windows VM, which is bridged to my usual data VLAN. The linux host is where I do development work which lives on a separate experimental VLAN.

Other than that I run a few LXC containers for various services needed for running the LAN. (DNS, mail, VPNs, etc.) - I just want that stuff logically separated so that they can either (a) be moved to my new workstation in 2024, or (b) if one breaks it can just be rebuilt from scratch without affecting the others. It's also nice because I can use whatever distro works best for that particular package.

[1]: https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF

[2]: https://github.com/duncanthrax/scream


I use VMs to serve Plex and the software I run around Plex to make it fun and useful. I have a few NUCs that run ESXi, and in turn, my aforementioned VMs. The last time I rebuilt the box, I was considering going back to bare metal for Plex (at least), but the ability to treat the VM as effectively ephemeral but also backed up in case something happened is very useful. It is also theoretically portable if I got a second one and externalized it. I also like to think that virtualizing the machines lets me better carve the otherwise-overpowered host machine and allow it to decide how best to use its resources, but I haven't actually sat and verified that is what happens.

I use a VM on my work machine to get around Docker Desktop licensing on macOS. I also use VMs on my work and personal machines to test out new-to-me OSes that I want to play with but don't necessarily want to run full time. And once upon a time, I used VMs heavily to write and test Chef cookbooks, but those days are mostly over for me.


Is Plex still able to take advantage of your GPU through virtualization?

Perhaps my understanding is outdated, but I remember a time when the GPU was somewhat limited when virtualized since it potentially needed to be shared as well be exposed through a common layer.

Maybe this doesn't matter for all use cases, but for Plex especially when it's doing transcoding, I'd imagine it's very important.


You are correct, the GPU needs to be passed through. However, transcoding can generally be avoided if you pay attention to how you're getting your source material. Also, if you aren't transcoding 4k, 1080 is almost trivial now.


I don't use transcoding for Plex at all. I've found it much better to stream directly to a client like Infuse and have it use the client's native hardware decoding. Now granted, this is only really feasible if you're streaming within your own house, but it works great. Plex can be run on any dinky little system that way and have no trouble serving up full bitrate UHD rips.


Direct streaming is great but I wish you could enforce it natively from the server side.

The challenge is getting your friends and family to change the default prefer-transcoding behavior every time they fire up a new client.

I know you can use tricks like tautulli events to terminate transcode streams but they're difficult to deploy and a bad UX for the users even at their best. Better to have Plex tell users something like "This content can't be played at your preferred bitrate X, would you like to use more data to play at full bitrate Y? Yes/No/Always"


My i7-8700t supports GVT-g which lets me split up the igpu for passthrough. I have a Windows VM with HW accel and a Linux VM with HW accel running off a single optiplex micro. Both vms are doing lots of video encoding.


Not the OP, but last time I tried GPU passthrough I needed some specific settings on the motherboard (beyond the normal virtualization stuff) that I didn't have. So I didn't get very far.

On the other hand, I was able to very easily get GPU passthrough working on Emby inside an LXC container.


SR-IOV I'm pretty sure. I think you can get away with that with direct PCI passthrough, but it's been a good few years since I did that for realsies.


I use VMs for piracy. I use a Linux VM with iptables configured to only allow connections to/from a specific VPN IP/port. This is probably overkill, but it is nice to have everything separated and isolated without having to worry about IP leaks.
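As an added example that is not part of the original comment: a shell script with the kind of "only the VPN endpoint may leave the VM" iptables policy described above, emitted as reviewable commands, together with a small parser for the kernel log lines the policy writes whenever something inside the VM tries to go around the tunnel. The endpoint address, port, protocol and interface names are placeholders (203.0.113.10 is from the documentation address range), and the log lines in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables "VPN-only" egress policy for
# an isolated VM, plus a parser for the log lines it produces when something
# tries to bypass the tunnel. The endpoint, port and interface names below are
# placeholders (203.0.113.10 is from the documentation range), not real values.
set -u

VPN_IP=${VPN_IP:-203.0.113.10}   # placeholder VPN endpoint
VPN_PORT=${VPN_PORT:-1194}       # placeholder port (OpenVPN default)
VPN_PROTO=${VPN_PROTO:-udp}
WAN_IF=${WAN_IF:-eth0}           # interface facing the host/LAN
TUN_IF=${TUN_IF:-tun0}           # interface created by the VPN client

# Emit the rule set as commands rather than running them, so it can be
# reviewed first ("show") and then piped to sh ("apply").
# Default policy is DROP on every chain; the only thing allowed out of the
# physical interface is the VPN session itself. DNS, updates and anything
# else must go through $TUN_IF or be logged and dropped.
killswitch_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_IP --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "vpn-leak-blocked: "
EOF
}

# Aggregate the kernel log lines written by the LOG rule into
# "DST PROTO DPT count", one line per destination, so a leak attempt
# (typically DNS going to the LAN resolver) shows up immediately.
blocked_destinations() {
    awk '/vpn-leak-blocked/ {
            dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            n[dst " " proto " " dpt]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Usage:  ./killswitch.sh show            (print the rules for review)
#         ./killswitch.sh apply           (as root, on the VM console)
#         ./killswitch.sh leaks [logfile] (summarise blocked attempts)
if [ "$#" -gt 0 ]; then
    case $1 in
        show)  killswitch_rules ;;
        apply) killswitch_rules | sh -e ;;
        leaks) blocked_destinations "${2:-/var/log/kern.log}" ;;
        *)     echo "usage: $0 show | apply | leaks [logfile]" >&2; exit 2 ;;
    esac
fi
```

Two design points: the policies are set to DROP before the flush so there is no window where the VM is open, and the LOG rule is rate-limited so a misbehaving client cannot flood the kernel log. Run "leaks" after the first boot with the policy in place; a row for the LAN resolver on UDP/53 is the usual sign that the VPN client is not pushing its own DNS settings into the VM.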


Docker. I'd rather have a proper environment I control than whatever bastardization "Docker Desktop" is. It uses VMs in the background anyway.


When I reinstalled Docker recently, it tried to push Docker Desktop for Linux at me quite a bit, which was new from the last time I installed Docker.

In the end, I went and specifically hunted down Docker for use on servers to get an installation without all the Desktop cruft - even on that page [0] there's a big thing advertising Docker Desktop for Linux.

0: https://docs.docker.com/engine/install/


They have to get that sweet corporate money somehow. Teaching people to use Docker Desktop so they pester their employer for a license seems to be the premier way to do it.


Depending on your hardware, Desktop Linux may work much better in a VM on a Windows host than booting the machine directly to it. Far more stable, less screwing with configs to get everything working. You know suspend will work (in the form of saving the VM's state). You get snapshotting, and not just of the disk, which can be really handy. Easy to clone machines for complete isolation of e.g. work projects. Depending on your workflow this can be nicer than one machine with multiple accounts (see again: state-saving suspends, even across host reboots).

Even more true for the BSDs and other, even more obscure operating systems.

Not really viable on portable machines, though. Too much power use. Desktop, however, is great.


I can echo your statements. My NAS runs FreeNAS and I also use Hyper-V to run a VM on my Windows desktop with lots of RAM. Jails on FreeBSD were easy enough to work with on FreeNAS but I prefer for the NAS to be a NAS. It runs on an i3 with ECC memory.


I run a Linux VM on my Windows work machine so that I can safely access my personal accounts on the web. I am allowed to access my personal email, bank accounts, etc on my work computer; but they have a web filtering agent installed with certs that MITM everything. In the VM I'm subject to a more restrictive filter, but without the certs or agent they can't MITM.


If you can, the best is not to do anything personal on your work machine. A VM doesn't offer you any privacy if a rogue admin really wants to spy on you.


The latest macOS doesn't support my printer out of the box anymore but it's still supported on Linux, so I just passthrough the printer and print from there. Strange times.


Pretty funny considering that CUPS is an Apple project and has been maintained by an Apple engineer for years.


It's probably because they just focused on IPPAnywhere which is a pretty good idea, just a bummer that the whole PPD train got derailed because of it.

Another highly likely possibility is a proprietary filter from the printer manufacturer that wasn't compiled as a universal binary or was compiled with i386 dependencies and thus won't run on x64-only versions of the OS.


I've been banned from selling on eBay and I get around it by having multiple Windows 10 VMs (running on proxmox) with 4G USB dongles passed through to each machine. It keeps everything tidy with no chance of me ever making a mistake and getting found out.


This might be silly to mention, but wouldn’t a VPN suffice? Even a VPN set to “always on” in a VM? Another option would be to stand up a t2.micro on AWS and then dynamic port forward web traffic via “ssh -D 7777 $awshost” and use a browser proxy.


eBay isn't just looking at source IP addresses, they do other types of fingerprinting as well.


Do tell! I'll be terribly disappointed if you say something like "browser fingerprinting" though.



What exactly are you selling?


Thousands of different items that I import from China. I've got a lot of money invested in inventory so I can't risk having my business shutdown by eBay's algorithm or $2/h "service" team again. eBay stealth OPSEC is the only way to have any sort of job security in this game.


I used to use one for games.

I had a GPU (even two in SLi with hacked drivers at one point) passed through to the VM and used it for Windows / games (with a Linux host).

I've abandoned it since gaming on Linux itself has been proving alright


I still have my setup in case friends want to play multiplayer games that are sadly behind anti-cheat. Was a bit annoying to set up but otherwise a fun exercise and good bragging rights.

I use Linux as my main operating system now, the only drawback is that there's no audio when I stream through discord.


Oh definitely, anti-cheat/multiplayer games still benefit from it.

I've been toying with the idea of setting this up again -- I still have the highly-tuned XML definition for libvirt. I just ran out of PCI-e slots and I'm down to one beefy GPU -- having a lower power one for the host head is nice.

I actually had some success bypassing some anti-VM anticheats -- particularly, ESEA.

Valorant was the only one I 'gave up' on, the usual approaches didn't work and having not played it, wasn't really worth the investment.


Yeah, browser based audio capture with discord and zoom have been the biggest pain point of my linux desktop usage.


I use them for many things, but most recently I found myself using a VM to avoid installing tracking software (essentially malware) required by my employer. I don't turn it on unless someone asks questions, and otherwise can go about my business without fear of being monitored.


Just a heads up, a lot of endpoint detection and response runs at the kernel level and can view network traffic if you’re running in bridged mode.


I appreciate the heads up, but I specifically put this VM on hardware I don't use for anything else, just in case it has more access than it should. I also blocked as much outbound traffic as I could.


Are VLANs enough to mitigate this?

As a concrete example let's say I have an interface on the host sitting on a trunk port receiving tagged traffic. It exposes two such VLANs as pseudo-devices "nic.10" and "nic.20" which are enslaved to "bridge10" and "bridge20" respectively. If I have a VM with a virtual NIC sitting on bridge10, the guest kernel shouldn't be able to see traffic on bridge20, right? (Assuming nothing above the guest is doing L2/L3 forwarding between the two VLANs.)


Sure, as long as everything is configured correctly and you trust the network stack on the host connected to the trunk port.

I use a similar configuration on my three ESXi hosts, with a pair of Ethernet ports on each host LACP bonded to a trunk port channel on the physical switch, a separate port group per VLAN on the virtual switches, and all L3 features disabled on the physical switch, so traffic only passes between VLANs through a dedicated router VM with strict firewall rules in place. Works great.
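The per-VLAN bridge layout the question describes, as an added example on a Linux host (not code from either commenter): a POSIX shell script that creates nic.10 and nic.20 off a trunk NIC, enslaves each to its own bridge, puts the guest's tap on exactly one bridge, and turns off host forwarding so the host kernel cannot route between the two VLANs itself. The trunk name nic, the VLAN IDs, the tap name and the DRY_RUN switch are assumptions; with DRY_RUN=0 it needs root and iproute2.

```sh
#!/bin/sh
# Added example, not from the thread: per-VLAN bridges off a trunk port on a
# Linux host, so that a VM's tap device sees only its own VLAN.
# Assumptions: iproute2, trunk NIC "nic" carrying tagged frames, and a
# hypervisor that attaches the guest NIC to the bridge named here.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_bridge TRUNK VID: create TRUNK.VID and bridgeVID, enslave the former.
# The host gets no IP address on the bridge, so it is not a hop between VLANs.
vlan_bridge() {
    trunk=$1
    vid=$2
    case $vid in
        ''|*[!0-9]*) echo "vlan_bridge: bad VLAN id '$vid'" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan_bridge: VLAN id $vid out of range" >&2
        return 1
    fi
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip link add name "bridge$vid" type bridge
    run ip link set "$trunk.$vid" master "bridge$vid"
    run ip link set "$trunk.$vid" up
    run ip link set "bridge$vid" up
}

# vm_tap TAP BRIDGE: create the guest's tap and put it on exactly one bridge.
vm_tap() {
    run ip tuntap add dev "$1" mode tap
    run ip link set "$1" master "$2"
    run ip link set "$1" up
}

# The host kernel must not route between bridge10 and bridge20 itself.
disable_host_forwarding() {
    run sysctl -w net.ipv4.ip_forward=0
    run sysctl -w net.ipv6.conf.all.forwarding=0
}

# Build the layout from the question: two VLANs, one bridge each, one guest tap.
build_layout() {
    vlan_bridge nic 10
    vlan_bridge nic 20
    vm_tap tap-vm1 bridge10
    disable_host_forwarding
}
```

To check the result on a live host, `ip -o link show master bridge10` lists what is enslaved to that bridge; a tap that appears under both bridges, or a host IP address on either bridge while forwarding is enabled, is exactly the "something above the guest forwarding between the VLANs" case the question sets aside.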


Job provides Windows or Mac but I prefer to use Linux. So I installed Linux in VM and do all the work in it. VMWare Workstation is rock solid with great performance. I boot Windows, then Linux in VMWare Workstation, go full screen and never look at Windows again for the whole day.


My last job gave me a Mac and I installed Linux on it with rEFInd [1]. But of course this won't work on M1 macs. And sometimes there's "company policy" blocking it sadly.

[1] https://www.rodsbooks.com/refind/


There are a lot of prebuilt VM's around, you might get some ideas there:

https://app.vagrantup.com/boxes/search?page=1

https://www.osboxes.org/virtualbox-images/

I use Parallels to run windows on a Mac, a pretty common use. I've heard of people running game servers in VM's e.g. Minecraft


I still use the fool out of vagrant. I often have to write small tools that run across 10000s of servers running various versions of OSes (but all x86 these days, thankfully). Almost always I need to hit /proc, /sys, and various glibc versions, so having a full kernel and user space is better than fussing with Docker.

It lets me test against all of them pretty easily. Tear down, spin up, repeat.

I learned that various versions of RHEL6 kernels have stuff like epoll() but others don’t and it’s not everything after kernel version X.Y. Joy.

Better than before when I had to support HP-UX, Solaris, AIX, etc. At least I have a consistent shell and least common denominator tools. That was like old school browser detection.

But yeah, a lot of focus on doing work without stressing the machine at all to not impact business workloads. Not my “day job”, but I get pulled into emergencies because folks trust that I’ll do it. Log4j2 detection/validation was not fun. That was a “real cli” with a degraded pure shell fallback. And due to the lack of predictability, that was a try, fail, degrade. Nested jars/wars/ears suck when you can’t just play in memory.

I run macOS with virtualbox locally, but can get all the Linuxes I need and quickly ruby/shell a test harness.

Only annoying thing is remembering to remove them all when I’m done to get that disk back.


Tl; dr: this setup is probably very close to the GPU pass-through (with a twist) many folks are using for GPU-heavy use-cases in a VM already, so not sure if it could be classified as unusual.

At work, we use VMs with NIC virtual function interfaces (https://www.kernel.org/doc/html/latest/driver-api/vfio.html) from the hypervisor for first line of validation for our product (full disclosure: part of the quality and automation team at StorPool Storage), so that we can have an environment both close to the production systems with network hardware acceleration enabled in the VM (i.e. kernel bypass) and easy to reproduce and re-create. There are some limitations and setup quirks with different orchestrations, but they are not live-migrated anyway, so not really an issue.

At home the main usage is for isolated environments (not unusual), and recently to be able to access a ZFS in an older Freenas/Freebsd zpool drive (the Ubuntu ZFSoL could not detect it for some reason, haven't looked into it more). I was a bit surprised that passing through the whole storage controller with the sole SATA disk behind it (the host root OS is on an NVMe) is actually slower than attaching to the VM as virtio raw disk (i.e. /dev/sdN).


https://pi-hole.net/ - an ad blocking proxy DNS server

https://archivebox.io/ - self-hosted internet archiving solution to collect, save, and view sites you want to preserve offline (this is how I bookmark now)

https://photoprism.app/ - self hosted photo, video application (used to store my family photos); I also use https://www.photosync-app.com to sync directly from my iPhone to PhotoPrism

https://gitea.io/ - lightweight code hosting solution (similar to GitHub and I mirror GH repos with this)

https://www.proxmox.com/ - my hypervisor of choice


I use a Windows 10 VM to download Visual Studio and extract the installed compiler to generate a linux docker image with wine and MSVC C++ compiler:

https://github.com/madduci/docker-msvc-cpp


The build tools are provided for free. You don’t need to jump through these hoops.


Have you considered mingw?


Running Photoshop on a Windows VM. There's so much trash Adobe pumps into their products that I don't want this anywhere near my Mac...


Running Linux on my mac. A VM is particularly useful because I can spin one up to install some crapware needed to work and then discard it.

Installing tunnels and certs needed for contract work.

Experimenting with new software environments.


I do not know if it enters the definition but it's my first step for trying "dangerous" stuff, like debugging a macOS kernel extension, or installing an exotic OS.

And of course for learning. For example you can learn a lot about operating systems if you can just run any older version at your will.

Also, you are obviously speaking of virtualization of a given hardware platform but a lot of stuff is modeled as a "virtual machine" in the generalized sense - e.g. the pickle Python format.


Running Linux desktops on a Windows system, and vice-versa, for development, testing or simply running some program without having to move to a different room and power up the desktop system, for example.

Testing and playing with older systems (Windows 9x, Linux distros from the 90s) for fun and kicks (or to compile some stupidly old tarball of something that sounds interesting or fun but hasn't been updated in 15 years)

Building network meshes to play around with running BGP, OSPF etc. on FRRouting


I develop in an Ubuntu Multipass VM on my M1 MacBook Air. It's great -- I get all the GUI/ecosystem niceties of macOS, but work in "real" Linux. I mount my Mac home folder on the Ubuntu VM, so in a way this is kind of like "WSL for macOS" -- I sometimes even forget that I'm not actually on my Mac, it's so seamless.

For a while I was using Parallels and/or UTM, but honestly (perhaps due to my /r/unixporn addiction), not having the option of a GUI on the Linux VM is great (well, it's technically possible with Multipass, but it's a bit involved). For work, I prefer to treat Linux as command line-only, nothing more -- "OS as IDE," that whole thing.

Since it's a VM, I'm happy to just blow it away and start over if I screw something up (though, the lack of a DE greatly simplifies and reduces the number of things that can go wrong). I have a single repo with all my dotfiles, and if I pull that down and symlink a few things, I have my old environment up and running in minutes. I've been meaning to look into nix, but haven't yet since it's known to have such a steep learning curve. For now, though, this is working great; my needs are so simple and my tools so few that I honestly don't know if the juice will be worth the squeeze.

I also tend to keep my Mac pretty clean and "unpolluted," as I generally create bespoke build environments in VMs. So even the Mac is fungible.

I've honestly never been happier with a dev machine/environment. No more weird macOS/Linux inconsistencies, hardly any maintenance overhead, aside from customizing my dotfiles (which I really enjoy -- it's like gardening, in a way). It all just works.


I have a DVD-A ripper that only runs on Windows. Because I use a Mac, I primarily use a Windows VM just to rip DVD-A disks.

(DVD-A is a variant of the DVD format where audio is lossless, compressed using MLP. (Very similar to FLAC.) In general, DVD-A is 100% obsolete because Bluray supports lossless audio over HDMI without a special player. Unfortunately, some artists still release on DVD-A for reasons I don't fully understand.)


On my bare-metal server I use VMs to isolate certain network concerns like my mail server and my VPN (WireGuard) server. Regarding WireGuard, this was necessary because the host (Debian Buster) does not (or rather: did not) support it. Furthermore, I do not want to allow the host OS (and the services running in Docker) access to my internal networks.

My VMs are managed using libvirt/virt-manager (over SSH).


You can run WireGuard in a docker client without giving it access to your internal networks.


Yes, a network namespace is all it takes. However, kernel support for WireGuard is still required. Debian Buster didn't have it back then.
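The namespace approach from the reply above, as an added example (not the commenter's setup): the WireGuard interface is created in the host's init namespace, so its encrypted UDP leaves through the host uplink, and is then moved into a dedicated namespace that has no other interface, so only processes launched with ip netns exec can reach the internal networks behind the tunnel. The names vpn and wg0, the tunnel address and the config path are assumptions; the config is in wg(8) setconf format (no Address= line, unlike wg-quick), and DRY_RUN=0 requires root, kernel WireGuard support, iproute2 and wireguard-tools.

```sh
#!/bin/sh
# Added example, not the commenter's setup: run a WireGuard tunnel inside its
# own network namespace, so only processes started in that namespace can reach
# the networks behind the tunnel. The host's default namespace keeps no route
# into them. Needs kernel WireGuard support, iproute2 and wireguard-tools.
# Assumptions: namespace "vpn", interface "wg0", a tunnel address and a config
# file in wg(8) setconf format (keys and peers only, no Address= line).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg_netns NS IFACE ADDR/PREFIX CONF
# The interface is created in the init namespace, so its encrypted UDP leaves
# through the host uplink, then moved into NS: the plaintext side of the
# tunnel exists only there.
wg_netns() {
    ns=$1; iface=$2; addr=$3; conf=$4
    if [ -z "$ns" ] || [ -z "$iface" ] || [ -z "$addr" ] || [ -z "$conf" ]; then
        echo "usage: wg_netns NS IFACE ADDR/PREFIX CONF" >&2
        return 1
    fi
    run ip netns add "$ns"
    run ip link add "$iface" type wireguard
    run ip link set "$iface" netns "$ns"
    run ip -n "$ns" addr add "$addr" dev "$iface"
    run ip netns exec "$ns" wg setconf "$iface" "$conf"
    run ip -n "$ns" link set "$iface" up
    run ip -n "$ns" link set lo up
    # NS has no other interface, so a default route via the tunnel means
    # nothing can leak out unencrypted if the tunnel is down: there is
    # nowhere else for packets to go.
    run ip -n "$ns" route add default dev "$iface"
}

# in_tunnel NS CMD...: start a process whose only network is the tunnel.
in_tunnel() {
    ns=$1
    shift
    run ip netns exec "$ns" "$@"
}
```

Services that must not see the internal networks simply stay in the default namespace, which has no wg0 and no route to the peer's prefixes; only what you start with in_tunnel gets them.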


Malware analysis. I run Windows malware on FLARE VM with all traffic routed to REMnux, a Linux distro that emulates internet services with INetSim.


I work in industrial controls and I have probably at least a dozen different VMs for all of the various programming software (each brand of PLC generally has their own proprietary software stack) and versions. Some of these things really don't play nice together and have the tendency to "blow up" now and again, where the whole OS needs to be nuked and reinstalled from scratch. Some programs are a nightmare to get working right and it's nice to be able to share working VMs with my coworkers.

IT also can't get their grubby fingers on the software inside and break anything. I also don't even have admin rights to change my network settings on my host OS, which is 100% required for the job as I need to connect to machine networks running a static IP. With VMs, I can get a USB Ethernet dongle and give it to the VM and get network control that way.

These days I do almost nothing on my host OS.


Not strictly VMs but I love to work on remote containers, like Github Codespaces.

Made my side projects much easier to work and collaborate with.


I only use VMs to run other operating systems on the server, for all other purposes I use containers. For example, some document servers insist on running on Windows while I insist on not running Windows. The solution is found in a VM which I fire up on demand when I need to access something from that server, accessed through (web)VNC. Once done I terminate the VM. All other services are run in containers, VMs and containers managed through Proxmox:

qm start 600 to start ELSA, the VAG document server. Connect through VNC, find whatever was needed followed by qm shutdown 600

pct start 209 to start the Debian-stable build server, connect through SSH, build whatever is needed, package and copy the result out of the container followed by pct shutdown 209

pct start 208 starts the bookkeeping server, pct start 501 for the backup router, etc.


Testing features on Linux. Sounds dumb and obvious, but if you use a Windows laptop for work, being able to pipe into a Linux VM that is corporate approved is nice. Also use it for certain debuggers that aren't supported on my host OS. Basically as a stitch in for the fact I can't use Linux at work.


Why not WSL2?


I recently brought up a Windows 10 VM and a couple Debian, FreeBSD, and OpenBSD VMs to test building C software on multiple platforms and toolchains. It's notoriously hard to run MSVC on non-Windows platforms, especially my M1 Mac, so having a dedicated build VM is a must for me. I use QEMU on the command line to virtualize everything. Although it was incredibly hard to get both x86_64 and aarch64 Windows reliably working (3+ days of waiting for installers and trial and error, in case you're wondering) it's worth it as now I can use a shell script to boot each VM, rsync a folder full of source files, and then run cmake to check for build errors, all from the host machine. It's kind of close to some form of CI at this point.


Occasional gaming on my wife's work PC (in parallel as she's working there).

VMWare can provide DirectX 11 support for guest OS, and there are many kinds of gaming-friendly remote desktop applications to play remotely from my Linux laptop.

Originally inspired by this LTT video: <https://www.youtube.com/watch?v=-Mgnwn4twZE>, except that I wanted "work" system to have 100% of all resources when "gaming" one is not used (since it's started up only once in a few months). Hence, nothing as fancy as in video: "host" OS is the work system, and "guest" OS is booted up once in a few months for occasional gaming.


I use a VM (wsl) on windows for git. I could run git on windows directly, but I have a whole setup of config files and ssh agent that I already have working on linux, so I just use that. It is a bit annoyingly slow when using it on a repo on the host, though.


I help one of my co-workers out with some industrial work. It's AB Studio 5000 and Wonderware edge. These programs are terrible. They are not backward compatible so the standard thing every control engineer seems to do is have 500 different VMs. One for each version of each individual program. It's bonkers.

Working on industrial equipment even with current technology is like going back 20 years. The controls software ecosystem seems to just barely be accepting version control now. Instead of just directory after directory of duplicates named "XXX - v1.000 - I really deployed this one to plant XXX"


Yeah and full version of Studio 5000 that supports all five IEC PLC languages is $20k in Australia.


And God forbid you have any issues with it and need help, because Rockwell support is $$$$!


Do they have support?

I thought they just had guys that bought you coffee and the odd cake until you had handed over the cash, and then you never see or hear from them again.


From my time back in VMWare, I got into a habit of installing all my desktop apps in their own VMs. This makes switching to a new PC trivial: reinstall the OS, install VMware Desktop, move a folder of VMs. Done.


Very occasionally I need Windows for something, and then a VM would be nice, but Windows has been growing in size lately - so much that I don't want to use it anymore. So now I am trying to make do with just Linux.

Otherwise, I am using VMs for edge compute, caching and cache configuration etc. I think the caches of tomorrow are those that can be fully programmed, safely in a sandbox.

I used to work on unikernels, but I have become less interested simply due to the fact that while people find them interesting, in the end they all want Linux underneath.


I run five VMs at my house on a W2022 machine, running consumer-level hardware.

1. pfsense - It's the router & firewall for my house. Runs an OpenVPN client
2. monitoring - A Linux box I can ssh to. Port 22 is forwarded here
3. win11VM - Windows box I can RDP to. It runs 2FA
4. winDC - A Windows domain controller for my house
5. transmission - networking forced to go over OpenVPN for better Linux ISO sharing


I use them to reproduce bugs (both my bugs and bugs found by my customers), and give away the resulting disk images, if the software vendor has some difficulty reproducing the bug.


I use VMs for many things, most notably, I use one as a development machine for work. I have a VM running Linux, on a separate PC, where I use the VSCode SSH extension to develop on that machine, but run VSC on my MacOS. The main reason for this is that running large applications makes my laptop super slow, but I'm too used to the UI. I just run the builds there, which makes the performance much better, though it poses some challenges at times.


I've been nerd-sniped by an old Forth variant, and with a lot of help from here, got it working... then my retina blew out... (so pause)

It's Linux only, and it's either Ubuntu in a VM, or WSL to get it to compile.

I've tried more than once to get it to compile for windows, where I understand things better, but no go.


PiHole (https://pi-hole.net/) with PiVPN (https://www.pivpn.io/) on one and Huginn (https://github.com/huginn/huginn) on another


I run R in a Debian VM because Gentoo emerge of R fails to compile on my machine and I cannot be bothered to figure out the problem this time.


FWIW I believe this is because R is very hard to compile (lots of dependencies like graphics, Fortran, etc.) -- and one of the R core devs is also a Debian developer! The packaging is a lot of work.

That is, it helps to have the same exact dependency versions as Debian, because that's what the core devs test with. This is a flaw in the distro model IMO ...

The other distros basically have to copy what Debian does, and do it imperfectly as far as I know.


That sounds like a textbook use case for containers instead: different filesystem, same everything else.


At work we're running some self hosted service, issue is, the service is quite old, and the client only works with other old openjdk versions, so the vm runs the client.

I'm also running android-x86[1], for a single mobile game with an x86 port

[1] https://www.android-x86.org/


I have been close to installing a Windows VM only to get proper support for the Microsoft Office suite, which is used a lot at my new job. The browser version available on Linux is just not very good. The worst offense is that it doesn't open template files at all. But the features supported in Excel are also kind of weak.


I release versions of NSIS with a VM of Windows 2000 running Visual C 6. It creates the smallest executables possible.


I use google cloud shell (remote vm or a docker container whatever), it is fast and I can try a bunch (most) of things real quick. clone repos, docker-compose up, open web preview. It saves time and keeps local machine clean.

Also I made a script to install a DE and novnc, I can browse in it, and not feel guilty about local firewall.


My HTPC/couch driver is a Windows VM living inside of Unraid. Has been since 2019. Really happy with it. Close to bare-metal performance. Using it for gaming, movies and browsing.

The VM has four cpu cores with a passed through graphics card, sound card and its own SSD. Just to be able to watch 4K HDR content in Kodi.


Follow up question: What do you use to automate setting up a vm, ssh keys, etc? I tried using Ansible and it was like its own DSL, yet another one to learn. At this point, anytime I need to learn a DSL, I am instantly turned off from using that thing. Is there anything better?


Very occasionally: playing old games that don't run well (or at all) on modern operating systems.


I just recently spun up 16 Linux VMs in Virtualbox to simulate industrial scales connecting to my desktop software using Python and performing measurements. I wrote several scripts to copy Python code to each machine with scp and control them using Bash with WSL2 on Windows.


I have a VM running an old Windows 7 license I have, for the sole purpose of being able to continue using Microsoft Money Sunset Edition. The only two applications I run in this VM are Money and Firefox (only to connect to my bank).


I find it a lot easier to find a Docker container with whatever service I want to use vs trying to figure out how to install it locally. Nothing super exotic, but currently I'm running OpenSearch and PostgreSQL in a VM (via Docker).


i write about a product called MAAS, a bare-metal provisioning system. i have a houseful of NUCs of different vintages to provision, but sometimes i want to try odd configurations and/or create error conditions to build troubleshooting doc. LXD VMs are better for this than NUCs, because they are easier and faster to recover when things go south.

also, i use them to do large builds of code on OS versions other than the one i'm running on my laptop. and i use them to test packer-built custom versions of FreeBSD, RHEL, Alma, Rocky, etc., because i can control the interfaces and storage more easily when debugging my packer builds.


A pretty regular one: Some dev / analyst / whatever wants one. Nothing more, nothing less.

I've had great use of VMs when testing more boutique and unsupported software, where I need to test compatibility on various versions of OS


VMs for Windows mostly. We used to also use Vagrant a lot for development, but that's moved to Docker and then Kubernetes. Some of those on some platforms still use VMs on desktop GUIs but those are completely managed.


I use it to play Total Annihilation on LAN. I tried out all the 3rd party patches, nuking firewall/defender with DefenderControl but nothing worked except full virtualization.


I use FreeBSD for bhyve. It works pretty good on my old Lenovo X1 laptop.


Lately with docker it hasn't been as necessary, but I used to run VMs for just about every service so I don't have to worry about other apps being affected by an OS issue.


I use VMs at work. Always hosted in the cloud- to work with GPUs, or deploy some app.

Outside of work, I use VMs for distro-hopping, i.e. regularly trying out new Linux distributions.


To package software for my main hosts. I can avoid installing lots of compiletime dependencies in main hosts and leaving potential garbage of `make install`.


I use VMs mainly as development machines, back in the days in a server locally, nowadays mostly in Azure/AWS mainly to separate clients / software.


Currently, I'm not using them that much. However, I use containers intensively for some workloads like services on my UnRaid server or for development.


Yeah, I'll spin up a VM every once in a while on UnRaid but by and large I only use docker containers. I think the last time I used a VM was a few years ago for some windows-only software I needed for a few hours.


Mostly as a clean slate to run ansible against. That in turn sets up various services.

I could put multiple services on a single vm but split is easier mental model wise


Do you use vagrant with Ansible runner then?


Nope. Homegrown ansible script straight against proxmox command line interface over SSH.

So if I need a new VM I copy an existing inventory section for a VM (which has mem, cpu, NFS mounts etc variables defined), tweak that and run the deploy script with that.

Followed by another ansible script specific to the software piece I'm deploying.

Bit unorthodox (traditionally deploy part is terraform not ansible) but works for me. This is home server though...for cloud VMs I'd use terraform.


At home I use VMs for work environments (usually Ubuntu desktop VMs). Home PC is a gaming computer. All my laptops run Ubuntu.


To run docker/k8s on machines that don't seem to run docker natively (Win 10 and Mac OS X).


Proxmox on my home server with a few VMs for different purposes. Parallels on my MacBook Air M1


Windows Sandbox to run Adobe Flash to access old data rooms.


I used a VM to host my Windows development environment.


To access my bank.


I use VMs when reverse engineering malware.


Make bank payments

